MIS 9003 – Prof. Min-Seok Pang

Week 13 – Information Security

Information Disclosure and the Diffusion of Information Security Attacks Mitra & Ransbotham–Siddharth Bhattacharya

The paper talks about an ongoing debate in the research community about limited versus full disclosure about vulnerabilities that are often attacked on by third parties.Proponents of limited disclosure argue that it ensures that vendors and targets receive reasonable time to develop and deploy patches and countermeasures before systems are attacked,whereas the alternative full disclosure creates a window of opportunity for attackers before patches and countermeasures are deployed.On the other hand, full disclosure provides incentives to vendors to create better quality software and notifies security professionals so that they can install countermeasures immediately.Thus the paper wants to answer the questions:does full disclosure speed the diffusion of attacks corresponding to the vulnerability through the population of target systems?does full disclosure increase the risk that a firm is attacked for the first time on any specific day after the vulnerability is reported, given that it has not been attacked prior to that day?does full disclosure increase the number of target firms affected by attacks based on the vulnerability?does full disclosure increase the volume of attacks based on the vulnerability?.

The authors use measures developed in earlier literature to first form analytical estimates of various measures such as Na(t) cumulative number of attacked systems at time t,cumulative number of protected systems at time t ie Np(t) etc and then uses these for development of their hypothesis.Next,the authors augment this analytical analysis with two main data sources :a proprietary database of alerts generated from intrusion detection systems (IDSs) installed in client firms of an MSSP during 2006 and 2007 and second combine this panel data set with dates from the National Vulnerability Database (NVD) to obtain detailed characteristics of the vulnerabilities.

The authors use a series of models:a non-linear regression model,a cox model and finally a poisson model to corroborate all their hypotheses,all of which are supported.Results indicate that full disclosure accelerates the diffusion of attacks corresponding to a vulnerability. Full disclosure also increases the risk of first attack on any specific day after the vulnerability is reported.Full disclosure also increases the penetration of attacks within the population of target systems.Additionally, although the aggregate volume of attacks remains unaffected by full disclosure, attack activity shifts earlier in the life cycle of a vulnerability, thereby reducing its effective life span but intensifying activity while active.The paper makes several contributions.Practically, quantifying the net effect of information disclosure on the diffusion of attacks informs the continuing debate about the optimal disclosure of information security vulnerabilities.It also adds depth to the debate about limited versus full disclosure  and uncover a potential negative effect of full disclosure.Finally it adds to the diffusion of innovation literature by focusing on the diffusion of a societally undesirable innovation versus positive innovations studied before.

Week 13 – Wang et al. 2015 – Joe

Wang, J., Gupta, M., & Rao, H. R. (2015). Insider threats in a financial institution: Analysis of attack-proneness of information systems applications. MIS quarterly39(1).

Insider threats to information security are considered to be a critical issue for organizations. However, research on quantification of the risk of insider threats on information assets is sparse. Extending from the original context of explaining predatory crimes in the physical environment, this paper synthesizes routine activity theory (RAT) with survival modeling, and makes the following main contributions: In order to understand what causes applications to be exposed to insider threats, the study conceptualizes and operationalizes the main constructs of RAT (value, inertia, visibility, accessibility (VIVA), and absence of guardians) in the domain of information systems security.

To quantify the risk that an application will experience unauthorized access attempts, the authors applied survival modeling. With log data of an enterprise single sign-on (ESSO) system and information regarding integrated IS applications from a regional financial institution, the authors then focus on the investigate the main constructs of RAT. The survival analysis results show that 1) the business value of an application (BVM) increased the risk of an application experiencing unauthorized attempts; 2) Control strength (CSTR) decreased the risk of an application experiencing unauthorized attempts; 3) Access prevalence level (log (APL)) increased the risk of an application experiencing unauthorized attempts; 4) OLIM increased the risk of an application experiencing unauthorized attempts; 5) data protection level (DPL) decreased the risk of an application experiencing unauthorized attempts. Basically, all the five hypotheses are supported by the empirical results.

Theoretically, this paper introduces the measurements for managing risks against insider threats within an organization. They conceptualized and operationalized the risk of insider threats associated with information assets, thus providing a foundation for future research in risk management of digital assets. Practically, this study suggested that practice of risk management of IS applications should be adapted to the organizational context, and account for users’ behavioral patterns.

Week 13 Reading Summary – Pang and Tanriverdi (2017) – Xi Wu

Pang and Tanriverdi (2017) Security Breaches in the U.S. Federal Government

There has been limited research on the mitigation mechanisms of security vulnerabilities with actual breach incident data at the organization level. This paper studies the effectiveness of three organizational IT risks mitigation mechanisms: modernization of legacy IT systems, institution of effective IT GRC, and migration of legacy IT system to the cloud. The hypotheses are developed based on criminology theories such as rational choice theory and crime opportunity theory. (1) Federal agencies that spend higher percentages of their IT budgets on the maintenance of legacy IT systems are likely to experience more security incidents than ones that spend higher percentages of their IT budgets on IT modernization and new IT development; (2a) IT GRC effectiveness reduces security incidents in federal agencies; (2b) IT GRC effectiveness substitutes IT modernization in reducing security incidents; (3) Federal agencies that migrate their IT systems more to the cloud are likely to experience fewer security incidents.

The unit of analysis is a U.S. federal agency. Data on security incidents in the federal agencies is obtained by FIMSA report. Security breaches to the federal agencies in 2005-2016 is obtained from an independent source PRC. Data on the IT investment profiles of federal agencies is collected from the Federal IT Dashboard.

The study finds that (1) A 1%-point increase in the share of IT modernization in the IT budget is associated with a 5% decrease in security incidents. (2) the institution of effective IT GRC mechanisms significantly reduces the security incidents. (3) a negative interaction effect between IT modernization and IT GRC. The findings complement the extant IS security literature on the technical mitigating mechanisms by assessing the effectiveness of more managerially actionable mechanisms.

Paper Summary- Jack Tong

Angst, Corey, et al. “When Do IT Security Investments Matter? Accounting for the Influence of Institutional Factors in the Context of Healthcare Data Breaches.” MIS Quarterly, vol. 41, no. 3, 2017, pp. 893–916.

The authors explore an interesting question about how hospital factors determine the extent to which they are symbolic or substantive adopters of IT specific practices. Institutional theory distinguishes between symbolic and substantive adoption in order to account for the degree to which the activities of a firm are accurately reflected in the signals they communicate to relevant stakeholders. Substantive adoption represents one extreme, where signals are accurate representations of adopted practices and are tightly integrated with the organization’s core operation; where symbolic adoption is intended to enhance a firm’s external validation or legitimacy rather than achieve a specific technical benefit. Using data from three different sources, they create a panel of more than 5,000 U.S. hospitals and 938 breaches over 8 years. They use a growth mixture model approach to model the heterogeneity in likelihood of breach and they apply a two class solution in which hospitals that (1) belong to smaller health systems, (2) are older, (3) smaller in size, (4) for-profit, (5) nonacademic, (6) faith-based, and (7) less entrepreneurial with IT are classified as symbolic adopters. Their findings indicate that symbolic adoption diminishes the effectiveness of IT security investments, resulting in an increased likelihood of breach. Contrary to their theorizing, the use of more IT security is not directly responsible for reducing breaches, but instead, institutional factors create the conditions under which IT security investments can be more effective.

Week 13- Reading Summary – Leting Zhang

Angst, C.M., Block, E.S., D’arcy, J. and Kelley, K., 2017. When do IT security investments matter? Accounting for the influence of institutional factors in the context of healthcare data breaches. MIS Quarterly, 41(3), pp.893-916.

Although organizations take numerous approaches to secure their IT asset, data breach incidents still happen very frequently across industries. To investigate the underlying reasons, this study examines the effectiveness of IT  security investment in the healthcare industry through the lens of Neo – institutional theory, specifically,  how symbolic adoption and substantive adoption influence the success of security investment, what kinds of institutional factors  associated with the two types of adoptions, why IT security investment has a delayed effect.

According to the institutional theory, the motivation to adopt a practice is not only by actual benefit, but also to seek legitimacy in the social structure. In most cases, this pressure can result in symbolic adoption, which means practice would not be fully implemented and their benefit would not be maximized. However, symbolic adoption and substantive adoption can not be observed directly, so the paper suggests several organizational characteristics that can predict each type of adoption. Combining with theory and available data,  the study proposes that these characteristics can contribute to symbolic adoption: 1. members of smaller health systems; 2. long  established; 3. smaller size; 4. for-profit; 5. teaching ; 6.faith-based;7. less entrepreneurial ; then it further suggests 1. more IT security investment will reduce breaches; 2. substantive adoption will enhance the effectiveness of IT security investment over time; 3.symbolic  adoption will decrease the effectiveness of IT security investment in the over time.

It collects hospital level data from HIMSS and data breach incidents from different sources. Then, it uses a growth mixture model (GMM) for dichotomous outcomes to test hypotheses. A part of hypotheses are supported by the results.

Week 13 Reading Summary (HK)

Kwon, J. & Johnson, M. E. (2014). Proactive versus reactive security investments in the healthcare sector. MIS Quarterly, 38(2), 451-471.

The legislative mandates to disclose security breaches coupled with the detailed data available on security investments makes the healthcare sector a viable industry to consider the impact of proactive versus reactive security investments. Proactive investments are those conducted by the organization prior to an issue or breach. Conversely, reactive investments are those that occur after an incident to respond to said incident. Data from the Healthcare Information Management Systems Society from 2005-2009 was collected to allow for a Cox Proportional Hazard Model to be performed on a sample of 2,386 healthcare organizations. The analysis provided a perspective considering the learning opportunity benefits and the cost effectiveness of healthcare security investments.

Results indicated that proactive security investments are associated with lower security failure rates. This supports the notion that attackers’ abilities and threats evolve at such a rapid pace that it is important to learn from proactive initiatives. Proactive investments are also associated with smaller breaches and lower breach notification costs than reactive investments. This finding is contrary to literature stating that proactive investing results in overinvestment stemming from uncertainty. Results also indicate that security investments have more significant effects on external than internal failures. Regardless of investment type, effects are larger at the state level than the organization level indicating that security investments create positive externalities (i.e., they improve security for all parties involved). Results also indicate that voluntarily made proactive investments are associated with superior performance to those made by external pressure. With external regulatory mandates, the organization might be trying to meet the mandates rather than conducting a threat analysis themselves. Finally, though external regulatory requirements attenuate learning from proactive investments, the requirements are at least not hurtful in failure-induced learning from reactive investments. Effectively, results indicate that CIOs should further emphasize proactive initiatives rather than purely reacting.